Librem Key, practical usage scenarios


#1

TL;DR summary

Let’s share experiences and usage scenarios with the Librem Key, beyond loading GPG keys on it, validating Heads/PureBoot, and decrypting LUKS.

Preface

I ordered a Librem Key and got it pretty quickly (awesome), and although it’s quite a lot thicker than my old YubiKey I like it. Hopefully in the future we’ll see a USB-C variant…

So I received it and started reading https://docs.puri.sm/Librem_Key/Getting_Started/User_Manual.html

Already having plenty of GPG keys I tried to adapt the instructions to my use case, not realizing that “keytocard” would MOVE my keys to the Librem Key (from now on I will simply write Key with a capital K to differentiate from a gpg key with a lower case k) rather than copy them. No big deal, I have backups.

OK so great. I can put 3 keys (one for signing, one for encryption, one for authentication) on the Key.

Now on to the actual questions. What can I do, and how should I set up my environment(s) to use the Key properly? This question goes beyond the simple setup and adding GPG keys to the Key. Beyond using it with Heads and PureBoot and LUKS. I don’t have a Librem laptop, and in fact I’m using Fedora on my Mac Mini but distro-hopping. My main machines are still macOS.

What do I do with it??

GPG

So I can put 3 GPG keys on it, great. Are there recommendations about what can be done and how I use these keys? Up until now, each email address I own has had its own GPG key. That won’t work with the Key however, since I can only store 1 key of each type. Can I somehow use the keys on the Key to unlock my other keys? Or will I be limited to only using the Key with one email account?

Other uses - TOTP, HOTP, password management ???

On the technical specs, we can see the following:

  • Key slots: Three key slots supporting RSA 2048-4096 bit and ECC 256-512 bit
  • One-time password storage: 3x HOTP (RFC 4226), 15 x TOTP (RFC 6238)
  • Integrated password manager: 16 entries
  • Random number generator: 40 kbit/s true random number generator

How do I make use of the one time passwords, integrated password manager, and random number generator?

So this Key is a rebranded NitroKey. I went and downloaded the NitroKey app, only to find out that in both Fedora and macOS, the Librem Key is not recognized or detected. Great. I’ve seen some mentions about the macOS ccid driver being out of date, but that was for prior versions of the OS. Currently my Mac has version 1.4.27, and the NitroKey apparently needs 1.4.21 or greater. Yet it’s still not detected by their app.

On Fedora it might be because the key is not recognized at all unless I’m root, which is a whole other issue… How would I get it detected by the user? This goes for the gpg utility as well, which doesn’t detect the card unless I’m root. Needless to say I don’t want to use the card with only root.

Perhaps PureOS handles that properly so I might have to check how it’s done there…

Conclusion

So essentially, the documentation is sparse and incomplete; it would be nice to get more info about it, and to share experiences with other users on here.

If I had one more item on my wishlist, it would be for the NitroKey and future Librem Keys to include U2F/FIDO as well, all in one package, like Yubico provides… That and USB-C support.


#2

Nope, it’s not. It is produced by NitroKey, but it is a completely different model, made by them specifically for Purism. No wonder it won’t be detected by Nitrokey’s tools.


#3

Ok, small but important distinction, thanks for clarifying.

On the other hand NitroKey support said there would be an update to their app (if they have relevant information already, https://github.com/Nitrokey/libnitrokey/issues/162) that would be able to detect the Purism Key, at the end of this month… Without that however, how would one take advantage of all the features of the Librem Key?


#4

Follow-up: I can at least use the Key with a non-root user in Fedora now, after adding the line:

ATTR{idVendor}=="316d", ATTR{idProduct}=="4c4b", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"

to the existing /etc/udev/rules.d/41-nitrokey.rules file I obtained from the NitroKey forums, restarting systemd-udev with systemctl and re-plugging the Key. So that’s progress!

Full contents of my 41-nitrokey.rules:

# Nitrokey U2F
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0"

SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
ACTION!="add", GOTO="gnupg_rules_end"

# USB SmartCard Readers
## Crypto Stick 1.2
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey Pro
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey Storage
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey Start
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Nitrokey HSM
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4230", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
## Purism Key
ATTR{idVendor}=="316d", ATTR{idProduct}=="4c4b", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"

LABEL="gnupg_rules_end"


# Nitrokey Storage dev Entry
KERNEL=="sd?1", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4109", SYMLINK+="nitrospace"
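The non-root fix in post #4 depends on one rule line carrying both the gnupg reader driver and the uaccess tag for the Key's USB IDs. The script below is an added example (not from this thread or from Purism/Nitrokey) that checks a udev rules file for exactly that, so a missing or incomplete entry can be spotted before re-plugging the Key; the 316d:4c4b IDs come from post #4, the rules text is a constructed sample, and check_token_rule is a name chosen here.

```shell
#!/bin/sh
# check_token_rule FILE VENDOR PRODUCT
# Exit 0: FILE has a rule for VENDOR:PRODUCT that sets the gnupg smart-card
#         driver and adds the uaccess tag (logged-in user gets an ACL on the device).
# Exit 1: a rule matches the IDs but lacks the driver or the tag (still root-only).
# Exit 2: no rule mentions these IDs at all.
check_token_rule() {
    file=$1; vendor=$2; product=$3
    awk -v v="$vendor" -v p="$product" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        index($0, "idVendor}==\"" v "\"") && index($0, "idProduct}==\"" p "\"") {
            found = 1                               # matches ATTR{...} and ATTRS{...}
            if (index($0, "ID_SMARTCARD_READER_DRIVER}=\"gnupg\"") &&
                index($0, "TAG+=\"uaccess\""))
                ok = 1
        }
        END { if (ok) exit 0; if (found) exit 1; exit 2 }
    ' "$file"
}

# Constructed sample in the layout of 41-nitrokey.rules (not the poster's file):
# the Nitrokey Pro line deliberately omits TAG+="uaccess".
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat >"$sample" <<'EOF'
SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
ACTION!="add", GOTO="gnupg_rules_end"
## Nitrokey Pro (incomplete on purpose)
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
## Purism Key
ATTR{idVendor}=="316d", ATTR{idProduct}=="4c4b", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", TAG+="uaccess"
LABEL="gnupg_rules_end"
EOF

# Demo against the sample; for a real check pass /etc/udev/rules.d/41-nitrokey.rules.
for ids in "316d 4c4b" "20a0 4108"; do
    set -- $ids
    if check_token_rule "$sample" "$1" "$2"; then
        echo "$1:$2 usable by the logged-in user"
    else
        echo "$1:$2 rule missing or incomplete (rc=$?)"
    fi
done
# After editing the real file: udevadm control --reload-rules, re-plug the Key
# (the ACTION=="add" match only fires on plug-in), then gpg --card-status as the user.
```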